- title: "Non-expiring access tokens"
  announcement_milestone: "15.4"
  removal_milestone: "16.0"
  breaking_change: true
  reporter: hsutor
  body: |  # Do not modify this line, instead modify the lines below.
    Access tokens that have no expiration date are valid indefinitely, which presents a security risk if the access token
    is divulged. Because access tokens that have an exipiration date are better, from GitLab 15.3 we
    [populate a default expiration date](https://gitlab.com/gitlab-org/gitlab/-/issues/348660).

    In GitLab 16.0, any [personal](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html),
    [project](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html), or
    [group](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html) access token that does not have an
    expiration date will automatically have an expiration date set at one year.

    We recommend giving your access tokens an expiration date in line with your company's security policies before the
    default is applied:

    - On GitLab.com during the 16.0 milestone.
    - On GitLab self-managed instances when they are upgraded to 16.0.
  stage: Manage
  tiers: [Free, Premium, Ultimate]
  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/369122
